This is up to your specific environment, but if you run elasticsearch on the same host as Timesketch you should lock it down to only listen to localhost.
The configuration for Elasticsearch is located in /etc/elasticsearch/elasticsearch.yml